Skip to content

compliance-framework/plugin-local-ssh-policies

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

29 Commits
.github/workflows
.github/workflows
 
 
policies
policies
 
 
.gitignore
.gitignore
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 

Repository files navigation

SSH policies for use in Compliance Framework Local SSH Plugin

Requirements

Install opa for testing & building the bundles.

Testing

make test

Bundling

Policies are built into bundle to make distribution easier.

You can easily build the policies by running

make build

Running policies locally

opa eval -I -b policies -f pretty data.compliance_framework <<EOF 
{
  "passwordauthentication": [
    "yes"
  ],
  "permitrootlogin": [
    "with-password"
  ],
  "pubkeyauthentication": [
    "no"
  ]
}
EOF

Writing policies.

Policies are written in the Rego language.

package compliance_framework.deny_password_auth

import future.keywords.in

violation[{}] {
	"yes" in input.passwordauthentication
}

title := "SSH should disable password based authentication"
description := "Password based SSH authentication is considered insecure. Key-based authentication should be used to secure remote access to sensitive hosts"
labels := {
    "severity": "high"
}

About

Local SSH policies for use in Continuous Compliance

Resources

Readme
Activity
Custom properties

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases 14

v0.2.0 Latest
Jul 9, 2025
+ 13 releases

Packages

 
 
 

Contributors 4

  •  
  •  
  •  
  •  

Languages